Possible new multi-exploit bot or worm (request for information), Rose IP Fragmentation, Scammers making use of backdoored machines
--------------------------------------

There have been multiple reports of a new multi-exploit bot or worm, however none of the handlers have been able to get a code capture yet. This new item has been attempting an overflow on the following ports:

1025, 135, 139, 2745, 3127, 445, 6129, 80, 8080

Though there have been very minor variations in the ports that have been reported. (Port 8080 and 139 were missing in two reports, for instance). The ports listed are either ports typically open for other services, or, opened by MyDoom and the other flurry of competing worm versions.

Reports of this particular traffic go back as far as March 25th by some accounts. If you have more information on this, especially code captures, please contact the handlers.

While this diary entry was being written, someone provided what could be more information on the subject: this may be a modified W32/Agobot-EM that doesn't show up in current Sophos & Symantec definitions. The same reg keys, file names, and hosts file modifications are made. More information can be found here, if this is indeed the same item:

There's a new fragmentation attack (called the Rose Attack) that affects a variety of systems. The attack can cause dropped (legitimately fragmented) packets, rejected fragmented packets, or CPU hanging depending on the system. The announcement of this technique is here:

While many of the worms out there are being used to create great places for Spammers to do thier dirty work, a new use these machines have surfaced. Scam creators are using these machines to run fake online stores and credit card scams from them. Utilizing home machines makes the job of tracking the scams down just a little bit harder: